Network Working Group W. Kumari Internet-Draft Google Intended status: Informational G. Huston Expires: April 10, 2016 APNIC October 8, 2015 Believing NSEC records in the DNS root. draft-wkumari-dnsop-cheese-shop-00 Abstract This document cuts down on junk queries to the DNS root and improves performance by answering queries locally from compliant resolvers. It does this by actually believing the NSEC responses. [ Ed note: Text inside square brackets ([]) is additional background information, answers to frequently asked questions, general musings, etc. They will be removed before publication.] [ This document is being collaborated on in Github at: https://github.com/wkumari/draft-wkumari-dnsop-cheese-shop. The most recent version of the document, open issues, etc should all be available here. The authors (gratefully) accept pull requests ] Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 10, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. Kumari & Huston Expires April 10, 2016 [Page 1] Internet-Draft If I've told you once... October 2015 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Background . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Believing NSEC records. . . . . . . . . . . . . . . . . . . . 2 2.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 3 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 3 6.1. Normative References . . . . . . . . . . . . . . . . . . 3 6.2. Informative References . . . . . . . . . . . . . . . . . 3 Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 4 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4 1. Background [ This section may be removed before publication... but I'd prefer not, it provides useful context ] The title of this draft (draft-wkumari-dnsop-cheese-shop) comes from a famous Monty Python skit - "The Cheese Shop". Knowledge of the skit is mandatory background knowledge for this document... Video here: https://www.youtube.com/watch?v=PPN3KTtrnZM 2. Believing NSEC records. This is a simply a refinement of [I-D.fujiwara-dnsop-nsec-aggressiveuse], for a limited use case. Fiull credit to the authors of the aforementioned draft, and this draft does not replace that draft, nor remove the need for the broader consideration of the use of NSEC records as described in [I-D.fujiwara-dnsop-nsec-aggressiveuse]. The scope of this document is addressed specifically to recursive validating resolvers when querying the root zone. Kumari & Huston Expires April 10, 2016 [Page 2] Internet-Draft If I've told you once... October 2015 If the (DNSSEC validated) answer to a query to a root server is an NXDOMAIN then the resolver SHOULD cache the NSEC record provided in the response. The resolver should NOT send further queries for names within the range of the NSEC record for the lifetime of the cached NSEC TTL. Instead, the resolver SHOULD answer these queries directly with NXDOMAIN (and NSEC records if so signalled by EDNS). They SHOULD set the AA bit and AD bits. 2.1. Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. IANA Considerations This document contains no IANA considerations. [ We MAY want to add something about setting the NSEC TTL appropriately?! ] 4. Security Considerations TODO: Fill this out! 5. Acknowledgements The authors wish to thank some folk. 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ RFC2119, March 1997, . 6.2. Informative References [I-D.fujiwara-dnsop-nsec-aggressiveuse] Fujiwara, K. and A. Kato, "Aggressive use of NSEC/NSEC3", draft-fujiwara-dnsop-nsec-aggressiveuse-01 (work in progress), July 2015. Kumari & Huston Expires April 10, 2016 [Page 3] Internet-Draft If I've told you once... October 2015 Appendix A. Changes / Author Notes. [RFC Editor: Please remove this section before publication ] From -00 to -01. o Nothing changed in the template! Authors' Addresses Warren Kumari Google 1600 Amphitheatre Parkway Mountain View, CA 94043 US Email: warren@kumari.net Geoff Huston APNIC 6 Cordelia St South Brisbane QLD 4001 AUS Email: gih@apnic.net Kumari & Huston Expires April 10, 2016 [Page 4]